CS590U Access Control: Theory and Practice Lecture 1 (Jan 10) Introduction to the Course Instructor Info n Ninghui Li n Email: [email protected] n Office phone: 765-496-6756 n Office: REC 217C n Office hour n Tuesday 4:20pm to 4:50pm n Thursday 4:20pm to 4:50pm n By appointment Coursework n Readings n before each lecture n Assignments (30%) n problems n review of assigned papers n Mid-term exam (30%) n A project (40%) Check the course homepage Why a Course on Access Control? What is Access Control? n Quote from Security Engineering by Ross Anderson n Its function is to control which principals (persons, processes, machines, …) have access to which resources in the system --- which files they can read, which programs they can execute, and how they share data with other principals, and so on. Access Control is Pervasive n Application n business applications n Middleware n DBMS n Operating System n controlling access to files, ports n Hardware n memory protection, privilege levels Access Control is Important n Quote from Security Engineering n Access control is the traditional center of gravity of computer security. It is where security engineering meets computer science. n TCSEC evaluates security of computer systems based on access control features + assurance Access Control is Interesting n Has (relatively) well-developed theories n 30+ years history n some (quite involved) theory (apparently) not useful for other fields n Many interesting and deep results n Many misconceptions and debates n A large percentage of published works contain serious errors n Corollary: Be skeptical, don’t believe too much what others have said, try form your own opinions Principles of Access Control (Saltzer and Schroeder 75) 1. Economy of mechanism n keep the design as simple and small as possible 2. Fail-safe defaults n default is no-access Principles of Access Control 3. Complete mediation n every access must be checked 4. Open design n security does not depend on the secrecy of mechanism Principles of Access Control 5. Separation of privilege n a system that requires two keys is more robust than one that requires one 6. Least privilege n every program and every user should operate using the least privilege necessary to complete the job Principles of Access Control 7. Least common mechanism n “minimize the amount of mechanism common to more than one user and depended on by all users” 8. Psychological acceptability n “human interface should be designed for ease of use” n the user’s mental image of his protection goals should match the mechanism An Incomplete History of Access Control Research Earlier Years: Time-Sharing Operating Systems n Reference monitors (1972) n Access matrix (1971) n Discretionary access control n trojan horse can leak information Confidentiality n Bell-LaPadula Model n Noninterference (1982) n Nondeducibility (1986) n Covert channel n Proving information flow properties of systems and programs Integrity n Biba model n Clark-Wilson n Chinese Wall Database Access Control n System R approach: grant/revoke, view n Ingres approach (query rewriting) n Multilevel databases n Object/relational databases n Real systems n SQL grant/revoke, view, stored procedures, fine-grained access control n Privacy centric Role-Based Access Control n First in database context n Then a generic access control approach n Constraints n Administration n Extensions Access Control in Distributed Systems n ABLP Logic n Trust management n PolicyMaker, KeyNote, QCM/SD3, Delegation Logic, Binder, RT n Automated trust negotiation Other Topics n Workflow systems n Firewall n Cryptographic approach End of Lecture 1 n Next lecture: n Access matrix n Partial order and lattices n State transition systems.